@bulolo/hermes-link 0.1.0

package/dist/chunk-C24HF73Y.js

@@ -0,0 +1,1843 @@
+// src/http/app.ts
+import Koa from "koa";
+import bodyParser from "koa-bodyparser";
+import cors from "@koa/cors";
+import Router3 from "@koa/router";
+
+// src/runtime/logger.ts
+import { appendFile, mkdir, open, readFile, rename, rm, stat } from "fs/promises";
+import os2 from "os";
+import path2 from "path";
+import pino from "pino";
+
+// src/constants.ts
+var LINK_COMMAND = "hermeslink";
+var LINK_VERSION = "0.1.0";
+var LINK_DEFAULT_PORT = 52379;
+var LINK_RUNTIME_DIR_NAME = ".hermeslink";
+var DEFAULT_LOG_FILE = "hermeslink.log";
+var DAEMON_LOG_FILE = "daemon.log";
+var GATEWAY_LOG_FILE = "hermes-gateway.log";
+var DEFAULT_HERMES_API_SERVER_PORT = 8642;
+var PROFILE_API_SERVER_PORT_START = DEFAULT_HERMES_API_SERVER_PORT + 1;
+var PROFILE_API_SERVER_PORT_END = DEFAULT_HERMES_API_SERVER_PORT + 999;
+
+// src/runtime/paths.ts
+import os from "os";
+import path from "path";
+function resolveRuntimeHome() {
+  return process.env.HERMESLINK_HOME?.trim() ? path.resolve(process.env.HERMESLINK_HOME) : path.join(os.homedir(), LINK_RUNTIME_DIR_NAME);
+}
+function resolveRuntimePaths(homeDir = resolveRuntimeHome()) {
+  return {
+    homeDir,
+    identityFile: path.join(homeDir, "identity.json"),
+    configFile: path.join(homeDir, "config.json"),
+    stateFile: path.join(homeDir, "state.json"),
+    credentialsFile: path.join(homeDir, "credentials.json"),
+    databaseFile: path.join(homeDir, "link.db"),
+    conversationsDir: path.join(homeDir, "conversations"),
+    blobsDir: path.join(homeDir, "blobs"),
+    indexesDir: path.join(homeDir, "indexes"),
+    logsDir: path.join(homeDir, "logs"),
+    runDir: path.join(homeDir, "run"),
+    pairingDir: path.join(homeDir, "pairing")
+  };
+}
+
+// src/runtime/logger.ts
+var DEFAULT_MAX_FILE_BYTES = 1024 * 1024;
+var DEFAULT_MAX_FILES = 5;
+var DEFAULT_READ_LIMIT = 200;
+var MAX_READ_LIMIT = 1e3;
+var DEFAULT_MAX_BYTES_PER_FILE = 512 * 1024;
+var LOG_LEVEL_PRIORITY = {
+  debug: 10,
+  info: 20,
+  warn: 30,
+  error: 40
+};
+var FileLogger = class {
+  filePath;
+  paths;
+  maxFileBytes;
+  maxFiles;
+  minLevel;
+  now;
+  queue = Promise.resolve();
+  constructor(options = {}) {
+    this.paths = options.paths ?? resolveRuntimePaths();
+    this.filePath = getLinkLogFile(this.paths, options.fileName);
+    this.maxFileBytes = Math.max(256, Math.floor(options.maxFileBytes ?? DEFAULT_MAX_FILE_BYTES));
+    this.maxFiles = Math.max(0, Math.floor(options.maxFiles ?? DEFAULT_MAX_FILES));
+    this.minLevel = options.minLevel ?? "warn";
+    this.now = options.now ?? (() => /* @__PURE__ */ new Date());
+  }
+  debug(message, fields) {
+    return this.write("debug", message, fields);
+  }
+  info(message, fields) {
+    return this.write("info", message, fields);
+  }
+  warn(message, fields) {
+    return this.write("warn", message, fields);
+  }
+  error(message, fields) {
+    return this.write("error", message, fields);
+  }
+  write(level, message, fields) {
+    if (LOG_LEVEL_PRIORITY[level] < LOG_LEVEL_PRIORITY[this.minLevel]) {
+      return Promise.resolve();
+    }
+    const entry = {
+      ts: this.now().toISOString(),
+      level,
+      message,
+      ...fields ? { fields: sanitizeFields(fields) } : {}
+    };
+    const next = this.queue.then(() => this.appendEntry(entry)).catch(() => void 0);
+    this.queue = next;
+    return next;
+  }
+  flush() {
+    return this.queue;
+  }
+  async appendEntry(entry) {
+    await mkdir(this.paths.logsDir, { recursive: true, mode: 448 });
+    const line = `${JSON.stringify(entry)}
+`;
+    await rotateLogFileIfNeeded(this.filePath, Buffer.byteLength(line, "utf8"), this.maxFileBytes, this.maxFiles);
+    await appendFile(this.filePath, line, { mode: 384 });
+  }
+};
+function createFileLogger(options = {}) {
+  return new FileLogger(options);
+}
+function getLinkLogFile(paths = resolveRuntimePaths(), fileName = DEFAULT_LOG_FILE) {
+  return path2.join(paths.logsDir, fileName);
+}
+function getGatewayRuntimeLogFile(paths = resolveRuntimePaths()) {
+  return getLinkLogFile(paths, GATEWAY_LOG_FILE);
+}
+function getGatewayLogFiles(paths = resolveRuntimePaths()) {
+  const runtimeGatewayLog = getGatewayRuntimeLogFile(paths);
+  const effectiveHome = path2.basename(paths.homeDir) === ".hermeslink" ? path2.dirname(paths.homeDir) : os2.homedir();
+  const hermesGatewayErrorLog = path2.join(effectiveHome, ".hermes", "logs", "gateway.error.log");
+  return Array.from(/* @__PURE__ */ new Set([runtimeGatewayLog, hermesGatewayErrorLog]));
+}
+function createRotatingTextLogWriter(options) {
+  const paths = options.paths ?? resolveRuntimePaths();
+  const filePath = getLinkLogFile(paths, options.fileName);
+  const maxFileBytes = Math.max(256, Math.floor(options.maxFileBytes ?? DEFAULT_MAX_FILE_BYTES));
+  const maxFiles = Math.max(0, Math.floor(options.maxFiles ?? DEFAULT_MAX_FILES));
+  let queue = Promise.resolve();
+  return {
+    filePath,
+    write(chunk) {
+      const buffer = typeof chunk === "string" ? Buffer.from(chunk, "utf8") : Buffer.from(chunk);
+      if (buffer.length === 0) {
+        return queue;
+      }
+      const next = queue.then(async () => {
+        await mkdir(paths.logsDir, { recursive: true, mode: 448 });
+        await rotateLogFileIfNeeded(filePath, buffer.length, maxFileBytes, maxFiles);
+        await appendFile(filePath, buffer, { mode: 384 });
+      }).catch(() => void 0);
+      queue = next;
+      return next;
+    },
+    flush() {
+      return queue;
+    }
+  };
+}
+async function readRecentLogEntries(options = {}) {
+  const paths = options.paths ?? resolveRuntimePaths();
+  const filePath = getLinkLogFile(paths, options.fileName);
+  const limit = clampLimit(options.limit);
+  const maxFiles = Math.max(0, Math.floor(options.maxFiles ?? DEFAULT_MAX_FILES));
+  const maxBytesPerFile = Math.max(1024, Math.floor(options.maxBytesPerFile ?? DEFAULT_MAX_BYTES_PER_FILE));
+  const files = [
+    filePath,
+    ...Array.from({ length: maxFiles }, (_, index) => rotatedLogFile(filePath, index + 1))
+  ];
+  const entries = [];
+  for (const file of files) {
+    const raw = await readTail(file, maxBytesPerFile);
+    if (!raw) continue;
+    const lines = raw.split(/\r?\n/u).filter(Boolean);
+    for (let index = lines.length - 1; index >= 0 && entries.length < limit; index -= 1) {
+      const entry = parseLogLine(lines[index]);
+      if (entry) entries.push(entry);
+    }
+    if (entries.length >= limit) break;
+  }
+  return entries.reverse();
+}
+async function readRecentTextLogEntries(options = {}) {
+  const paths = options.paths ?? resolveRuntimePaths();
+  const primaryFiles = options.filePaths ?? [getLinkLogFile(paths, options.fileName)];
+  const limit = clampLimit(options.limit);
+  const maxFiles = Math.max(0, Math.floor(options.maxFiles ?? DEFAULT_MAX_FILES));
+  const maxBytesPerFile = Math.max(1024, Math.floor(options.maxBytesPerFile ?? DEFAULT_MAX_BYTES_PER_FILE));
+  const files = primaryFiles.flatMap((filePath) => [
+    filePath,
+    ...Array.from({ length: maxFiles }, (_, index) => rotatedLogFile(filePath, index + 1))
+  ]);
+  const entries = [];
+  for (const file of files) {
+    const tail = await readTailWithMetadata(file, maxBytesPerFile);
+    if (!tail) continue;
+    const lines = tail.content.split(/\r?\n/u).map((line) => line.trim()).filter(Boolean);
+    for (let index = lines.length - 1; index >= 0 && entries.length < limit; index -= 1) {
+      entries.push(parseTextLogLine(lines[index], tail.modifiedAt));
+    }
+    if (entries.length >= limit) break;
+  }
+  return entries.reverse();
+}
+function readRecentGatewayLogEntries(options = {}) {
+  const paths = options.paths ?? resolveRuntimePaths();
+  return readRecentTextLogEntries({
+    ...options,
+    paths,
+    filePaths: options.filePaths ?? getGatewayLogFiles(paths)
+  });
+}
+function createLogger(options) {
+  const paths = options.paths ?? resolveRuntimePaths();
+  const logFile = getLinkLogFile(paths, options.fileName);
+  return pino({ level: options.level ?? "warn" }, pino.destination({ dest: logFile, sync: false, mkdir: true }));
+}
+function clampLimit(value) {
+  if (typeof value !== "number" || !Number.isFinite(value)) {
+    return DEFAULT_READ_LIMIT;
+  }
+  return Math.min(MAX_READ_LIMIT, Math.max(1, Math.floor(value)));
+}
+async function rotateLogFileIfNeeded(filePath, nextBytes, maxFileBytes, maxFiles) {
+  const current = await stat(filePath).catch(() => null);
+  if (!current || current.size === 0 || current.size + nextBytes <= maxFileBytes) return;
+  if (maxFiles === 0) {
+    await rm(filePath, { force: true }).catch(() => void 0);
+    return;
+  }
+  await rm(rotatedLogFile(filePath, maxFiles), { force: true }).catch(() => void 0);
+  for (let index = maxFiles - 1; index >= 1; index -= 1) {
+    await moveIfExists(rotatedLogFile(filePath, index), rotatedLogFile(filePath, index + 1));
+  }
+  await moveIfExists(filePath, rotatedLogFile(filePath, 1));
+}
+function sanitizeFields(fields) {
+  return sanitizeObject(fields, 0);
+}
+function sanitizeValue(value, depth) {
+  if (value === null || typeof value === "boolean") return value;
+  if (typeof value === "number") return Number.isFinite(value) ? value : null;
+  if (typeof value === "string") return value.length > 2e3 ? `${value.slice(0, 2e3)}...` : value;
+  if (Array.isArray(value)) {
+    if (depth >= 3) return "[array]";
+    return value.slice(0, 20).map((item) => sanitizeValue(item, depth + 1));
+  }
+  if (typeof value === "object" && value !== null) {
+    if (depth >= 3) return "[object]";
+    return sanitizeObject(value, depth + 1);
+  }
+  return String(value);
+}
+function sanitizeObject(value, depth) {
+  const result = {};
+  for (const [key, child] of Object.entries(value).slice(0, 50)) {
+    if (isSensitiveKey(key)) {
+      result[key] = "[redacted]";
+      continue;
+    }
+    result[key] = sanitizeValue(child, depth);
+  }
+  return result;
+}
+function isSensitiveKey(key) {
+  return /(authorization|cookie|token|secret|password|private[_-]?key|api[_-]?key)/iu.test(key);
+}
+function parseLogLine(line) {
+  try {
+    const value = JSON.parse(line);
+    if (!value || typeof value.ts !== "string" || !isLogLevel(value.level) || typeof value.message !== "string") {
+      return null;
+    }
+    return {
+      ts: value.ts,
+      level: value.level,
+      message: value.message,
+      timestampSource: "structured",
+      ...value.fields && typeof value.fields === "object" ? { fields: value.fields } : {}
+    };
+  } catch {
+    return null;
+  }
+}
+function parseTextLogLine(line, fallbackTimestamp) {
+  const embeddedTimestamp = readTimestampFromTextLog(line);
+  return {
+    ts: embeddedTimestamp ?? fallbackTimestamp ?? null,
+    level: inferTextLogLevel(line),
+    message: line,
+    ...embeddedTimestamp ? { timestampSource: "embedded" } : fallbackTimestamp ? { timestampSource: "file_mtime" } : {}
+  };
+}
+function readTimestampFromTextLog(line) {
+  const iso = /\b\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z\b/u.exec(line);
+  if (iso) return iso[0];
+  const bracketed = /^\[?(?<value>\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}(?:\.\d+)?)\]?/u.exec(line);
+  if (!bracketed?.groups?.value) return null;
+  const parsed = new Date(bracketed.groups.value.replace(" ", "T"));
+  return Number.isNaN(parsed.getTime()) ? null : parsed.toISOString();
+}
+function inferTextLogLevel(line) {
+  if (/\b(error|fatal|traceback|failed|failure)\b/iu.test(line)) return "error";
+  if (/\b(warn|warning)\b/iu.test(line)) return "warn";
+  if (/\b(debug|trace)\b/iu.test(line)) return "debug";
+  return "info";
+}
+function isLogLevel(value) {
+  return value === "debug" || value === "info" || value === "warn" || value === "error";
+}
+async function readTail(filePath, maxBytes) {
+  const tail = await readTailWithMetadata(filePath, maxBytes);
+  return tail?.content ?? null;
+}
+async function readTailWithMetadata(filePath, maxBytes) {
+  const info = await stat(filePath).catch(() => null);
+  if (!info || info.size <= 0) return null;
+  const modifiedAt = info.mtime.toISOString();
+  if (info.size <= maxBytes) {
+    const content = await readFile(filePath, "utf8").catch(() => null);
+    return content === null ? null : { content, modifiedAt };
+  }
+  const handle = await open(filePath, "r").catch(() => null);
+  if (!handle) return null;
+  try {
+    const length = Math.min(info.size, maxBytes);
+    const buffer = Buffer.alloc(length);
+    await handle.read(buffer, 0, length, info.size - length);
+    return { content: buffer.toString("utf8"), modifiedAt };
+  } finally {
+    await handle.close();
+  }
+}
+async function moveIfExists(from, to) {
+  await rm(to, { force: true }).catch(() => void 0);
+  await rename(from, to).catch((error) => {
+    if (error.code !== "ENOENT") throw error;
+  });
+}
+function rotatedLogFile(filePath, index) {
+  return `${filePath}.${index}`;
+}
+
+// src/http/routes/system.ts
+import Router from "@koa/router";
+
+// src/autostart/autostart.ts
+import { execFile } from "child_process";
+import { mkdir as mkdir2, readFile as readFile2, rm as rm2, writeFile } from "fs/promises";
+import os3 from "os";
+import path3 from "path";
+import { promisify } from "util";
+var execFileAsync = promisify(execFile);
+var MACOS_LABEL = "com.hermes.link";
+async function enableAutostart() {
+  const definition = await resolveAutostartDefinition();
+  if (!definition) {
+    return unsupportedStatus();
+  }
+  await mkdir2(path3.dirname(definition.filePath), { recursive: true, mode: 448 });
+  await writeFile(definition.filePath, definition.content, { mode: 384 });
+  if (definition.method === "systemd-user") {
+    await execFileAsync("systemctl", ["--user", "enable", path3.basename(definition.filePath)]).catch(async () => {
+      await rm2(definition.filePath, { force: true }).catch(() => void 0);
+      const fallback = xdgAutostartDefinition();
+      await mkdir2(path3.dirname(fallback.filePath), { recursive: true, mode: 448 });
+      await writeFile(fallback.filePath, fallback.content, { mode: 384 });
+    });
+  }
+  return getAutostartStatus();
+}
+async function disableAutostart() {
+  const definitions = await allAutostartDefinitions();
+  for (const definition of definitions) {
+    if (definition.method === "systemd-user") {
+      await execFileAsync("systemctl", ["--user", "disable", path3.basename(definition.filePath)]).catch(() => void 0);
+    }
+    await rm2(definition.filePath, { force: true }).catch(() => void 0);
+  }
+  return getAutostartStatus();
+}
+async function getAutostartStatus() {
+  const definitions = await allAutostartDefinitions();
+  if (definitions.length === 0) {
+    return unsupportedStatus();
+  }
+  for (const definition of definitions) {
+    const content = await readFile2(definition.filePath, "utf8").catch(() => null);
+    if (content !== null) {
+      return {
+        supported: true,
+        enabled: true,
+        method: definition.method,
+        filePath: definition.filePath
+      };
+    }
+  }
+  const primary = definitions[0];
+  return {
+    supported: true,
+    enabled: false,
+    method: primary.method,
+    filePath: primary.filePath
+  };
+}
+async function resolveAutostartDefinition() {
+  if (process.platform === "darwin") {
+    return launchdDefinition();
+  }
+  if (process.platform === "win32") {
+    return windowsStartupDefinition();
+  }
+  if (process.platform === "linux") {
+    return await hasSystemctlUser() ? systemdUserDefinition() : xdgAutostartDefinition();
+  }
+  return null;
+}
+async function allAutostartDefinitions() {
+  if (process.platform === "darwin") {
+    return [launchdDefinition()];
+  }
+  if (process.platform === "win32") {
+    return [windowsStartupDefinition()];
+  }
+  if (process.platform === "linux") {
+    return [systemdUserDefinition(), xdgAutostartDefinition()];
+  }
+  return [];
+}
+async function hasSystemctlUser() {
+  try {
+    await execFileAsync("systemctl", ["--user", "show-environment"]);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function launchdDefinition() {
+  const filePath = path3.join(os3.homedir(), "Library", "LaunchAgents", `${MACOS_LABEL}.plist`);
+  return {
+    method: "launchd",
+    filePath,
+    content: `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>Label</key>
+  <string>${MACOS_LABEL}</string>
+  <key>ProgramArguments</key>
+  <array>
+    <string>${xmlEscape(process.execPath)}</string>
+    <string>${xmlEscape(currentCliScriptPath())}</string>
+    <string>daemon-supervisor</string>
+  </array>
+  <key>RunAtLoad</key>
+  <true/>
+  <key>KeepAlive</key>
+  <false/>
+</dict>
+</plist>
+`
+  };
+}
+function systemdUserDefinition() {
+  const filePath = path3.join(os3.homedir(), ".config", "systemd", "user", "hermeslink.service");
+  return {
+    method: "systemd-user",
+    filePath,
+    content: `[Unit]
+Description=Hermes Link
+After=network-online.target
+
+[Service]
+Type=simple
+ExecStart=${systemdQuote(process.execPath)} ${systemdQuote(currentCliScriptPath())} daemon-supervisor
+Restart=no
+
+[Install]
+WantedBy=default.target
+`
+  };
+}
+function xdgAutostartDefinition() {
+  const filePath = path3.join(os3.homedir(), ".config", "autostart", "hermeslink.desktop");
+  return {
+    method: "xdg-autostart",
+    filePath,
+    content: `[Desktop Entry]
+Type=Application
+Name=Hermes Link
+Exec=${desktopQuote(process.execPath)} ${desktopQuote(currentCliScriptPath())} daemon-supervisor
+Terminal=false
+X-GNOME-Autostart-enabled=true
+`
+  };
+}
+function windowsStartupDefinition() {
+  const appData = process.env.APPDATA ?? path3.join(os3.homedir(), "AppData", "Roaming");
+  const filePath = path3.join(
+    appData,
+    "Microsoft",
+    "Windows",
+    "Start Menu",
+    "Programs",
+    "Startup",
+    "HermesLink.cmd"
+  );
+  return {
+    method: "windows-startup",
+    filePath,
+    content: `@echo off\r
+start "" /min "${process.execPath}" "${currentCliScriptPath()}" daemon-supervisor\r
+`
+  };
+}
+function unsupportedStatus() {
+  return { supported: false, enabled: false, method: "unsupported", filePath: null };
+}
+function xmlEscape(value) {
+  return value.replaceAll("&", "&amp;").replaceAll("<", "&lt;").replaceAll(">", "&gt;").replaceAll('"', "&quot;").replaceAll("'", "&apos;");
+}
+function systemdQuote(value) {
+  return `"${value.replaceAll("\\", "\\\\").replaceAll('"', '\\"')}"`;
+}
+function desktopQuote(value) {
+  return `"${value.replaceAll("\\", "\\\\").replaceAll('"', '\\"')}"`;
+}
+function currentCliScriptPath() {
+  return process.argv[1];
+}
+
+// src/network/environment.ts
+import { existsSync, readFileSync } from "fs";
+import os4 from "os";
+function detectRuntimeEnvironment(env = process.env) {
+  if (isWsl(env)) {
+    return {
+      kind: "wsl",
+      lanAutoDiscoveryUsable: false,
+      warning: "Detected WSL. The LAN IP found inside WSL is usually a private VM address and is not reachable from your phone. Use Relay or set `hermeslink config set lan-host <Windows LAN IP>`."
+    };
+  }
+  if (isContainer(env)) {
+    return {
+      kind: "container",
+      lanAutoDiscoveryUsable: false,
+      warning: "Detected a container environment. Container LAN IPs are usually not reachable from your phone. Use Relay or set `hermeslink config set lan-host <host LAN IP>`."
+    };
+  }
+  return { kind: "native", lanAutoDiscoveryUsable: true, warning: null };
+}
+function isWsl(env) {
+  if (process.platform !== "linux") {
+    return false;
+  }
+  if (env.WSL_DISTRO_NAME || env.WSL_INTEROP) {
+    return true;
+  }
+  const release = os4.release().toLowerCase();
+  return release.includes("microsoft") || release.includes("wsl");
+}
+function isContainer(env) {
+  if (env.container || env.CONTAINER || env.KUBERNETES_SERVICE_HOST) {
+    return true;
+  }
+  if (existsSync("/.dockerenv")) {
+    return true;
+  }
+  try {
+    const cgroup = readFileSync("/proc/1/cgroup", "utf8").toLowerCase();
+    return /docker|containerd|kubepods|libpod|podman/u.test(cgroup);
+  } catch {
+    return false;
+  }
+}
+
+// src/storage/atomic-json.ts
+import { readFile as readFile3 } from "fs/promises";
+
+// src/storage/atomic-file.ts
+import { randomUUID } from "crypto";
+import {
+  chmod,
+  chown,
+  lstat,
+  mkdir as mkdir3,
+  open as open2,
+  readdir,
+  rename as rename2,
+  rm as rm3,
+  stat as stat2
+} from "fs/promises";
+import path4 from "path";
+async function atomicWriteFilePreservingMetadata(filePath, value, options = {}) {
+  const resolvedPath = path4.resolve(filePath);
+  const directory = path4.dirname(resolvedPath);
+  await ensureDirectoryWithInheritedMetadata(directory, options.directoryMode ?? 448);
+  const existingMetadata = await readExistingFileMetadata(resolvedPath) ?? (options.metadataSourcePath ? await readExistingFileMetadata(path4.resolve(options.metadataSourcePath)) : null);
+  const directoryMetadata = await readPathMetadata(directory);
+  const metadata = {
+    uid: existingMetadata?.uid ?? directoryMetadata.uid,
+    gid: existingMetadata?.gid ?? directoryMetadata.gid,
+    mode: existingMetadata?.mode ?? options.mode ?? 384
+  };
+  const tempPath = path4.join(
+    directory,
+    `.${path4.basename(resolvedPath)}.${process.pid}.${Date.now()}.${randomUUID()}.tmp`
+  );
+  try {
+    const handle = await open2(tempPath, "wx", metadata.mode);
+    try {
+      if (typeof value === "string") {
+        await handle.writeFile(value, options.encoding ?? "utf8");
+      } else {
+        await handle.writeFile(value);
+      }
+      await handle.sync();
+    } finally {
+      await handle.close();
+    }
+    await applyMetadata(tempPath, metadata);
+    await rename2(tempPath, resolvedPath);
+  } catch (error) {
+    await rm3(tempPath, { force: true });
+    throw error;
+  }
+}
+async function ensureDirectoryWithInheritedMetadata(directory, mode) {
+  const { source, missing } = await findExistingAncestor(directory);
+  await mkdir3(directory, { recursive: true, mode });
+  for (const missingDirectory of missing) {
+    await applyMetadata(missingDirectory, { uid: source.uid, gid: source.gid, mode });
+  }
+}
+async function findExistingAncestor(directory) {
+  const missing = [];
+  let current = path4.resolve(directory);
+  while (true) {
+    const currentStat = await stat2(current).catch((error) => {
+      if (isNodeError(error, "ENOENT")) return null;
+      throw error;
+    });
+    if (currentStat) {
+      if (!currentStat.isDirectory()) throw new Error(`${current} is not a directory`);
+      return { source: metadataFromStats(currentStat), missing: missing.reverse() };
+    }
+    missing.push(current);
+    const parent = path4.dirname(current);
+    if (parent === current) throw new Error(`No existing parent directory for ${directory}`);
+    current = parent;
+  }
+}
+async function readExistingFileMetadata(filePath) {
+  const fileStat = await stat2(filePath).catch((error) => {
+    if (isNodeError(error, "ENOENT")) return null;
+    throw error;
+  });
+  if (!fileStat) return null;
+  if (!fileStat.isFile()) throw new Error(`${filePath} is not a file`);
+  return metadataFromStats(fileStat);
+}
+async function readPathMetadata(filePath) {
+  return metadataFromStats(await stat2(filePath));
+}
+async function applyMetadata(filePath, metadata) {
+  await applyOwner(filePath, metadata);
+  await chmod(filePath, metadata.mode);
+}
+async function applyOwner(filePath, metadata) {
+  if (process.platform === "win32") return;
+  const currentUid = typeof process.getuid === "function" ? process.getuid() : void 0;
+  const currentGid = typeof process.getgid === "function" ? process.getgid() : void 0;
+  if (metadata.uid === currentUid && metadata.gid === currentGid) return;
+  try {
+    await chown(filePath, metadata.uid, metadata.gid);
+  } catch (error) {
+    const current = await stat2(filePath);
+    if (current.uid !== metadata.uid || current.gid !== metadata.gid) throw error;
+  }
+}
+function metadataFromStats(statsValue) {
+  return { uid: statsValue.uid, gid: statsValue.gid, mode: statsValue.mode & 511 };
+}
+function isNodeError(error, code) {
+  return typeof error === "object" && error !== null && "code" in error && error.code === code;
+}
+
+// src/storage/atomic-json.ts
+async function readJsonFile(filePath) {
+  try {
+    const raw = await readFile3(filePath, "utf8");
+    return JSON.parse(raw);
+  } catch (error) {
+    if (isNodeError(error, "ENOENT")) return null;
+    throw error;
+  }
+}
+async function writeJsonFile(filePath, value, mode = 384) {
+  const payload = `${JSON.stringify(value, null, 2)}
+`;
+  await atomicWriteFilePreservingMetadata(filePath, payload, { mode });
+}
+
+// src/link/state.ts
+import path5 from "path";
+var STATE_FILE = "link-state.json";
+function stateFilePath(paths) {
+  return path5.join(paths.homeDir, STATE_FILE);
+}
+function defaultLinkState() {
+  return {
+    networkReport: {
+      lastReportedAt: null,
+      preferredUrls: [],
+      lanIps: [],
+      publicIpv4s: [],
+      publicIpv6s: []
+    },
+    updateAvailable: null,
+    updateDismissedAt: null
+  };
+}
+async function readLinkState(paths) {
+  const runtimePaths = paths ?? resolveRuntimePaths();
+  const raw = await readJsonFile(stateFilePath(runtimePaths));
+  if (!raw || typeof raw !== "object") return defaultLinkState();
+  const state = raw;
+  return {
+    networkReport: readNetworkReportState(state.networkReport),
+    updateAvailable: typeof state.updateAvailable === "string" ? state.updateAvailable : null,
+    updateDismissedAt: typeof state.updateDismissedAt === "string" ? state.updateDismissedAt : null
+  };
+}
+function readNetworkReportState(value) {
+  if (!value || typeof value !== "object") {
+    return defaultLinkState().networkReport;
+  }
+  const v = value;
+  return {
+    lastReportedAt: typeof v.lastReportedAt === "string" ? v.lastReportedAt : null,
+    preferredUrls: readStringArray(v.preferredUrls),
+    lanIps: readStringArray(v.lanIps),
+    publicIpv4s: readStringArray(v.publicIpv4s),
+    publicIpv6s: readStringArray(v.publicIpv6s)
+  };
+}
+function readStringArray(value) {
+  if (!Array.isArray(value)) return [];
+  return value.filter((v) => typeof v === "string");
+}
+async function updateNetworkReportState(update, paths) {
+  const runtimePaths = paths ?? resolveRuntimePaths();
+  const current = await readLinkState(runtimePaths);
+  const next = {
+    ...current,
+    networkReport: { ...current.networkReport, ...update }
+  };
+  await writeJsonFile(stateFilePath(runtimePaths), next);
+  return next;
+}
+async function updateLinkState(update, paths) {
+  const runtimePaths = paths ?? resolveRuntimePaths();
+  const current = await readLinkState(runtimePaths);
+  const next = { ...current, ...update };
+  await writeJsonFile(stateFilePath(runtimePaths), next);
+  return next;
+}
+
+// src/link/updates.ts
+async function checkForUpdates(options) {
+  const paths = options.paths ?? resolveRuntimePaths();
+  const state = await readLinkState(paths);
+  const fetcher = options.fetchImpl ?? fetch;
+  try {
+    const response = await fetcher(
+      `${options.relayBaseUrl.replace(/\/+$/u, "")}/api/v1/relay/link-versions/latest`,
+      { signal: AbortSignal.timeout(5e3) }
+    );
+    if (!response.ok) {
+      return buildUpdateInfo(state.updateAvailable, state.updateDismissedAt);
+    }
+    const body = await response.json().catch(() => null);
+    const latestVersion = typeof body?.version === "string" ? body.version : null;
+    if (latestVersion && latestVersion !== LINK_VERSION) {
+      await updateLinkState({ updateAvailable: latestVersion }, paths);
+      return buildUpdateInfo(latestVersion, state.updateDismissedAt);
+    }
+    return buildUpdateInfo(latestVersion, state.updateDismissedAt);
+  } catch {
+    return buildUpdateInfo(state.updateAvailable, state.updateDismissedAt);
+  }
+}
+function buildUpdateInfo(availableVersion, dismissedAt) {
+  return {
+    currentVersion: LINK_VERSION,
+    availableVersion,
+    dismissed: dismissedAt !== null
+  };
+}
+async function dismissUpdate(paths) {
+  const runtimePaths = paths ?? resolveRuntimePaths();
+  await updateLinkState({ updateDismissedAt: (/* @__PURE__ */ new Date()).toISOString() }, runtimePaths);
+}
+
+// src/security/devices.ts
+import path6 from "path";
+var DEVICES_FILE = "trusted-devices.json";
+function devicesFilePath(paths) {
+  return path6.join(paths.homeDir, DEVICES_FILE);
+}
+async function readTrustedDevices(paths) {
+  const runtimePaths = paths ?? resolveRuntimePaths();
+  const raw = await readJsonFile(devicesFilePath(runtimePaths));
+  if (!raw || typeof raw !== "object") return [];
+  const reg = raw;
+  if (!Array.isArray(reg.devices)) return [];
+  return reg.devices.filter(isValidDevice);
+}
+function isValidDevice(value) {
+  if (!value || typeof value !== "object") return false;
+  const d = value;
+  return typeof d.deviceId === "string" && typeof d.addedAt === "string";
+}
+async function isDeviceTrusted(deviceId, paths) {
+  const devices = await readTrustedDevices(paths);
+  return devices.some((d) => d.deviceId === deviceId);
+}
+async function recordDeviceSeen(deviceId, paths) {
+  const runtimePaths = paths ?? resolveRuntimePaths();
+  const devices = await readTrustedDevices(runtimePaths);
+  const device = devices.find((d) => d.deviceId === deviceId);
+  if (device) {
+    device.lastSeenAt = (/* @__PURE__ */ new Date()).toISOString();
+    await saveDevices(devices, runtimePaths);
+  }
+}
+async function saveDevices(devices, paths) {
+  await writeJsonFile(devicesFilePath(paths), { devices });
+}
+
+// src/security/app-connect-token.ts
+import crypto from "crypto";
+import path7 from "path";
+var TOKENS_FILE = "app-connect-tokens.json";
+var TOKEN_EXPIRY_MS = 5 * 60 * 1e3;
+function tokensFilePath(paths) {
+  return path7.join(paths.homeDir, TOKENS_FILE);
+}
+async function readTokens(paths) {
+  const raw = await readJsonFile(tokensFilePath(paths));
+  if (!Array.isArray(raw)) return [];
+  const now = /* @__PURE__ */ new Date();
+  return raw.filter(isValidToken).filter((t) => new Date(t.expiresAt) > now);
+}
+function isValidToken(value) {
+  if (!value || typeof value !== "object") return false;
+  const t = value;
+  return typeof t.token === "string" && typeof t.createdAt === "string" && typeof t.expiresAt === "string";
+}
+async function saveTokens(tokens, paths) {
+  await writeJsonFile(tokensFilePath(paths), tokens);
+}
+async function generateAppConnectToken(paths) {
+  const runtimePaths = paths ?? resolveRuntimePaths();
+  const now = /* @__PURE__ */ new Date();
+  const token = {
+    token: crypto.randomBytes(32).toString("base64url"),
+    createdAt: now.toISOString(),
+    usedAt: null,
+    expiresAt: new Date(now.getTime() + TOKEN_EXPIRY_MS).toISOString()
+  };
+  const tokens = await readTokens(runtimePaths);
+  tokens.push(token);
+  await saveTokens(tokens, runtimePaths);
+  return token;
+}
+async function consumeAppConnectToken(tokenValue, paths) {
+  const runtimePaths = paths ?? resolveRuntimePaths();
+  const tokens = await readTokens(runtimePaths);
+  const index = tokens.findIndex((t) => t.token === tokenValue && !t.usedAt);
+  if (index === -1) return null;
+  tokens[index].usedAt = (/* @__PURE__ */ new Date()).toISOString();
+  await saveTokens(tokens, runtimePaths);
+  return tokens[index];
+}
+
+// src/http/auth.ts
+var DEVICE_ID_HEADER = "x-hermeslink-device-id";
+var TOKEN_HEADER = "x-hermeslink-connect-token";
+function requireAuth(paths) {
+  return async (ctx, next) => {
+    const deviceId = ctx.get(DEVICE_ID_HEADER);
+    const connectToken = ctx.get(TOKEN_HEADER);
+    if (connectToken) {
+      const token = await consumeAppConnectToken(connectToken, paths);
+      if (!token) {
+        ctx.status = 401;
+        ctx.body = { error: "Invalid or expired connect token" };
+        return;
+      }
+      const trustedDeviceId = deviceId || token.token.slice(0, 16);
+      ctx.state.auth = { deviceId: trustedDeviceId };
+      await next();
+      return;
+    }
+    if (!deviceId) {
+      ctx.status = 401;
+      ctx.body = { error: "Missing device ID" };
+      return;
+    }
+    const trusted = await isDeviceTrusted(deviceId, paths);
+    if (!trusted) {
+      ctx.status = 401;
+      ctx.body = { error: "Device not trusted" };
+      return;
+    }
+    await recordDeviceSeen(deviceId, paths);
+    ctx.state.auth = { deviceId };
+    await next();
+  };
+}
+
+// src/http/routes/system.ts
+function createSystemRouter(options) {
+  const router = new Router({ prefix: "/api/v1/system" });
+  const auth = requireAuth(options.paths);
+  router.get("/status", async (ctx) => {
+    const state = await readLinkState(options.paths);
+    const autostart = await getAutostartStatus();
+    const environment = detectRuntimeEnvironment();
+    ctx.body = {
+      version: LINK_VERSION,
+      linkId: options.identity.link_id,
+      installId: options.identity.install_id,
+      port: options.config.port,
+      autostart: {
+        supported: autostart.supported,
+        enabled: autostart.enabled,
+        method: autostart.method
+      },
+      environment: {
+        kind: environment.kind,
+        warning: environment.warning
+      },
+      networkReport: state.networkReport,
+      updateAvailable: state.updateAvailable
+    };
+  });
+  router.get("/version", (ctx) => {
+    ctx.body = { version: LINK_VERSION };
+  });
+  router.post("/autostart/enable", auth, async (ctx) => {
+    const status = await enableAutostart();
+    ctx.body = status;
+  });
+  router.post("/autostart/disable", auth, async (ctx) => {
+    const status = await disableAutostart();
+    ctx.body = status;
+  });
+  router.get("/logs", auth, async (ctx) => {
+    const limit = Number(ctx.query.limit) || void 0;
+    const entries = await readRecentLogEntries({ paths: options.paths, limit });
+    ctx.body = { entries };
+  });
+  router.get("/logs/gateway", auth, async (ctx) => {
+    const limit = Number(ctx.query.limit) || void 0;
+    const entries = await readRecentGatewayLogEntries({ paths: options.paths, limit });
+    ctx.body = { entries };
+  });
+  router.get("/updates", auth, async (ctx) => {
+    const info = await checkForUpdates({
+      relayBaseUrl: options.config.relayBaseUrl,
+      paths: options.paths
+    });
+    ctx.body = info;
+  });
+  router.post("/updates/dismiss", auth, async (ctx) => {
+    await dismissUpdate(options.paths);
+    ctx.body = { ok: true };
+  });
+  return router;
+}
+
+// src/http/routes/statistics.ts
+import Router2 from "@koa/router";
+function createStatisticsRouter(options) {
+  const router = new Router2({ prefix: "/api/v1/statistics" });
+  const auth = requireAuth(options.paths);
+  router.get("/conversations", auth, (ctx) => {
+    const { from, to, profile } = ctx.query;
+    let query = `SELECT date, profile_name, conversation_count, message_count,
+      total_input_tokens, total_output_tokens
+      FROM conversation_stats WHERE 1=1`;
+    const params = [];
+    if (typeof from === "string") {
+      query += " AND date >= ?";
+      params.push(from);
+    }
+    if (typeof to === "string") {
+      query += " AND date <= ?";
+      params.push(to);
+    }
+    if (typeof profile === "string" && profile) {
+      query += " AND profile_name = ?";
+      params.push(profile);
+    }
+    query += " ORDER BY date DESC, profile_name ASC LIMIT 500";
+    const rows = options.db.prepare(query).all(...params);
+    ctx.body = { rows };
+  });
+  router.get("/usage", auth, (ctx) => {
+    const { from, to, profile, model } = ctx.query;
+    let query = `SELECT date, profile_name, model,
+      input_tokens, output_tokens, cache_creation_tokens, cache_read_tokens, run_count
+      FROM run_usage_facts WHERE 1=1`;
+    const params = [];
+    if (typeof from === "string") {
+      query += " AND date >= ?";
+      params.push(from);
+    }
+    if (typeof to === "string") {
+      query += " AND date <= ?";
+      params.push(to);
+    }
+    if (typeof profile === "string" && profile) {
+      query += " AND profile_name = ?";
+      params.push(profile);
+    }
+    if (typeof model === "string" && model) {
+      query += " AND model = ?";
+      params.push(model);
+    }
+    query += " ORDER BY date DESC, profile_name ASC, model ASC LIMIT 1000";
+    const rows = options.db.prepare(query).all(...params);
+    ctx.body = { rows };
+  });
+  router.post("/conversations/upsert", auth, (ctx) => {
+    const body = ctx.request.body;
+    if (!body || typeof body !== "object") {
+      ctx.status = 400;
+      ctx.body = { error: "Invalid body" };
+      return;
+    }
+    const { date, profileName, conversationCount, messageCount, totalInputTokens, totalOutputTokens } = body;
+    if (!date || !profileName) {
+      ctx.status = 400;
+      ctx.body = { error: "Missing required fields: date, profileName" };
+      return;
+    }
+    options.db.prepare(
+      `INSERT INTO conversation_stats
+          (date, profile_name, conversation_count, message_count, total_input_tokens, total_output_tokens)
+          VALUES (?, ?, ?, ?, ?, ?)
+          ON CONFLICT (date, profile_name) DO UPDATE SET
+            conversation_count = excluded.conversation_count,
+            message_count = excluded.message_count,
+            total_input_tokens = excluded.total_input_tokens,
+            total_output_tokens = excluded.total_output_tokens`
+    ).run(
+      date,
+      profileName,
+      Number(conversationCount) || 0,
+      Number(messageCount) || 0,
+      Number(totalInputTokens) || 0,
+      Number(totalOutputTokens) || 0
+    );
+    ctx.body = { ok: true };
+  });
+  router.post("/usage/upsert", auth, (ctx) => {
+    const body = ctx.request.body;
+    if (!body || typeof body !== "object") {
+      ctx.status = 400;
+      ctx.body = { error: "Invalid body" };
+      return;
+    }
+    const { date, profileName, model, inputTokens, outputTokens, cacheCreationTokens, cacheReadTokens, runCount } = body;
+    if (!date || !profileName || !model) {
+      ctx.status = 400;
+      ctx.body = { error: "Missing required fields: date, profileName, model" };
+      return;
+    }
+    options.db.prepare(
+      `INSERT INTO run_usage_facts
+          (date, profile_name, model, input_tokens, output_tokens, cache_creation_tokens, cache_read_tokens, run_count)
+          VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+          ON CONFLICT (date, profile_name, model) DO UPDATE SET
+            input_tokens = excluded.input_tokens,
+            output_tokens = excluded.output_tokens,
+            cache_creation_tokens = excluded.cache_creation_tokens,
+            cache_read_tokens = excluded.cache_read_tokens,
+            run_count = excluded.run_count`
+    ).run(
+      date,
+      profileName,
+      model,
+      Number(inputTokens) || 0,
+      Number(outputTokens) || 0,
+      Number(cacheCreationTokens) || 0,
+      Number(cacheReadTokens) || 0,
+      Number(runCount) || 0
+    );
+    ctx.body = { ok: true };
+  });
+  return router;
+}
+
+// src/relay/relay-client.ts
+import { EventEmitter } from "events";
+
+// src/identity/identity.ts
+import { generateKeyPairSync, randomUUID as randomUUID2, sign } from "crypto";
+import { chmod as chmod2, mkdir as mkdir4 } from "fs/promises";
+import { z } from "zod";
+var linkIdentitySchema = z.object({
+  install_id: z.string().min(1),
+  link_id: z.string().min(1).nullable().optional(),
+  public_key_pem: z.string().min(1),
+  private_key_pem: z.string().min(1),
+  created_at: z.string().min(1),
+  updated_at: z.string().min(1)
+});
+async function loadIdentity(paths = resolveRuntimePaths()) {
+  const value = await readJsonFile(paths.identityFile);
+  if (value === null) {
+    return null;
+  }
+  return linkIdentitySchema.parse(value);
+}
+async function ensureIdentity(paths = resolveRuntimePaths()) {
+  const existing = await loadIdentity(paths);
+  if (existing) {
+    return existing;
+  }
+  await mkdir4(paths.homeDir, { recursive: true, mode: 448 });
+  await chmod2(paths.homeDir, 448).catch(() => void 0);
+  const { publicKey, privateKey } = generateKeyPairSync("ed25519");
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const identity = {
+    install_id: `install_${randomUUID2().replaceAll("-", "")}`,
+    link_id: null,
+    public_key_pem: publicKey.export({ type: "spki", format: "pem" }).toString(),
+    private_key_pem: privateKey.export({ type: "pkcs8", format: "pem" }).toString(),
+    created_at: now,
+    updated_at: now
+  };
+  await writeJsonFile(paths.identityFile, identity);
+  return identity;
+}
+async function saveAssignedLinkId(linkId, paths = resolveRuntimePaths()) {
+  const identity = await ensureIdentity(paths);
+  const next = {
+    ...identity,
+    link_id: linkId,
+    updated_at: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  await writeJsonFile(paths.identityFile, next);
+  return next;
+}
+function signRelayNonce(identity, nonce) {
+  return signIdentityPayload(identity, nonce);
+}
+function signIdentityPayload(identity, payload) {
+  const signature = sign(null, Buffer.from(payload, "utf8"), identity.private_key_pem);
+  return signature.toString("base64url");
+}
+
+// src/relay/bootstrap.ts
+async function bootstrapWithRelay(options) {
+  const fetcher = options.fetchImpl ?? fetch;
+  const baseUrl = options.relayBaseUrl.replace(/\/+$/u, "");
+  const nonceResponse = await fetcher(`${baseUrl}/api/v1/relay/links/nonce`, {
+    method: "POST",
+    headers: { "content-type": "application/json" },
+    body: JSON.stringify({ install_id: options.identity.install_id })
+  });
+  if (!nonceResponse.ok) {
+    throw new Error(`Relay nonce request failed: ${nonceResponse.status}`);
+  }
+  const nonceBody = await nonceResponse.json();
+  const nonce = typeof nonceBody.nonce === "string" ? nonceBody.nonce : null;
+  if (!nonce) {
+    throw new Error("Relay did not return a nonce");
+  }
+  const signature = signRelayNonce(options.identity, nonce);
+  const registerResponse = await fetcher(`${baseUrl}/api/v1/relay/links`, {
+    method: "POST",
+    headers: { "content-type": "application/json" },
+    body: JSON.stringify({
+      install_id: options.identity.install_id,
+      public_key_pem: options.identity.public_key_pem,
+      nonce,
+      signature,
+      port: options.port
+    })
+  });
+  if (!registerResponse.ok) {
+    throw new Error(`Relay registration failed: ${registerResponse.status}`);
+  }
+  const registerBody = await registerResponse.json();
+  const linkId = typeof registerBody.link_id === "string" ? registerBody.link_id : null;
+  const token = typeof registerBody.token === "string" ? registerBody.token : null;
+  if (!linkId || !token) {
+    throw new Error("Relay registration response missing link_id or token");
+  }
+  return { linkId, token };
+}
+async function refreshRelayToken(options) {
+  const fetcher = options.fetchImpl ?? fetch;
+  const baseUrl = options.relayBaseUrl.replace(/\/+$/u, "");
+  const nonceResponse = await fetcher(`${baseUrl}/api/v1/relay/links/nonce`, {
+    method: "POST",
+    headers: { "content-type": "application/json" },
+    body: JSON.stringify({ install_id: options.identity.install_id })
+  });
+  if (!nonceResponse.ok) {
+    throw new Error(`Relay nonce request failed: ${nonceResponse.status}`);
+  }
+  const nonceBody = await nonceResponse.json();
+  const nonce = typeof nonceBody.nonce === "string" ? nonceBody.nonce : null;
+  if (!nonce) throw new Error("Relay did not return a nonce");
+  const signature = signRelayNonce(options.identity, nonce);
+  const tokenResponse = await fetcher(
+    `${baseUrl}/api/v1/relay/links/${options.identity.link_id}/token`,
+    {
+      method: "POST",
+      headers: { "content-type": "application/json" },
+      body: JSON.stringify({
+        install_id: options.identity.install_id,
+        nonce,
+        signature
+      })
+    }
+  );
+  if (!tokenResponse.ok) {
+    throw new Error(`Relay token refresh failed: ${tokenResponse.status}`);
+  }
+  const tokenBody = await tokenResponse.json();
+  const token = typeof tokenBody.token === "string" ? tokenBody.token : null;
+  if (!token) throw new Error("Relay did not return a token");
+  return token;
+}
+
+// src/relay/relay-client.ts
+var WS;
+try {
+  WS = WebSocket;
+} catch {
+}
+var RelayClient = class extends EventEmitter {
+  options;
+  ws = null;
+  state = "disconnected";
+  token;
+  logger;
+  reconnectTimer = null;
+  pingTimer = null;
+  reconnectDelay;
+  closed = false;
+  constructor(options) {
+    super();
+    this.options = options;
+    this.token = options.token;
+    this.reconnectDelay = options.reconnectDelayMs ?? 1e3;
+    this.logger = createFileLogger({ paths: options.paths });
+  }
+  get currentState() {
+    return this.state;
+  }
+  start() {
+    if (this.closed) return;
+    this.connect();
+  }
+  stop() {
+    this.closed = true;
+    this.clearTimers();
+    if (this.ws) {
+      this.state = "closing";
+      try {
+        this.ws.close(1e3, "client shutdown");
+      } catch {
+      }
+    }
+  }
+  send(message) {
+    if (this.state !== "connected" || !this.ws) return;
+    try {
+      this.ws.send(JSON.stringify(message));
+    } catch (err) {
+      this.logger.warn("Failed to send relay message", { error: String(err) }).catch(() => void 0);
+    }
+  }
+  connect() {
+    if (this.closed) return;
+    this.state = "connecting";
+    const wsUrl = this.buildWsUrl();
+    try {
+      const ws = new WS(wsUrl, {
+        headers: { authorization: `Bearer ${this.token}` }
+      });
+      this.ws = ws;
+      ws.addEventListener("open", () => {
+        this.reconnectDelay = this.options.reconnectDelayMs ?? 1e3;
+        this.state = "connected";
+        this.startPing();
+        this.emit("connected");
+        this.logger.info("Relay WebSocket connected").catch(() => void 0);
+      });
+      ws.addEventListener("message", (event) => {
+        try {
+          const message = JSON.parse(event.data);
+          this.emit("message", message);
+        } catch {
+        }
+      });
+      ws.addEventListener("close", (event) => {
+        this.stopPing();
+        this.ws = null;
+        this.state = "disconnected";
+        this.emit("disconnected", { code: event.code, reason: event.reason });
+        if (!this.closed) {
+          this.scheduleReconnect();
+        }
+      });
+      ws.addEventListener("error", (event) => {
+        this.logger.warn("Relay WebSocket error", { error: String(event) }).catch(() => void 0);
+      });
+    } catch (err) {
+      this.state = "disconnected";
+      this.logger.warn("Failed to create WebSocket", { error: String(err) }).catch(() => void 0);
+      if (!this.closed) {
+        this.scheduleReconnect();
+      }
+    }
+  }
+  buildWsUrl() {
+    const base = this.options.relayBaseUrl.replace(/\/+$/u, "").replace(/^http/u, "ws");
+    return `${base}/api/v1/relay/links/${this.options.identity.link_id}/ws`;
+  }
+  scheduleReconnect() {
+    const maxDelay = this.options.maxReconnectDelayMs ?? 3e4;
+    const delay = Math.min(this.reconnectDelay, maxDelay);
+    this.reconnectDelay = Math.min(this.reconnectDelay * 2, maxDelay);
+    this.reconnectTimer = setTimeout(() => {
+      if (this.closed) return;
+      this.maybeRefreshTokenAndReconnect().catch(() => void 0);
+    }, delay);
+  }
+  async maybeRefreshTokenAndReconnect() {
+    try {
+      this.token = await refreshRelayToken({
+        relayBaseUrl: this.options.relayBaseUrl,
+        identity: this.options.identity,
+        fetchImpl: this.options.fetchImpl
+      });
+    } catch {
+    }
+    this.connect();
+  }
+  startPing() {
+    const intervalMs = this.options.pingIntervalMs ?? 25e3;
+    this.pingTimer = setInterval(() => {
+      if (this.state === "connected" && this.ws) {
+        try {
+          this.ws.send(JSON.stringify({ type: "ping" }));
+        } catch {
+        }
+      }
+    }, intervalMs);
+  }
+  stopPing() {
+    if (this.pingTimer !== null) {
+      clearInterval(this.pingTimer);
+      this.pingTimer = null;
+    }
+  }
+  clearTimers() {
+    this.stopPing();
+    if (this.reconnectTimer !== null) {
+      clearTimeout(this.reconnectTimer);
+      this.reconnectTimer = null;
+    }
+  }
+};
+
+// src/network/topology.ts
+import os5 from "os";
+
+// src/config/config.ts
+var defaultLinkConfig = {
+  port: LINK_DEFAULT_PORT,
+  lanHost: null,
+  serverBaseUrl: "https://hermes-server.clawpilot.me",
+  relayBaseUrl: "https://hermes-relay.clawpilot.me",
+  appConnectTokenIssuer: "https://hermes-server.clawpilot.me",
+  appConnectTokenAudience: "hermes-link",
+  language: "auto",
+  logLevel: "warn"
+};
+async function loadConfig(paths = resolveRuntimePaths()) {
+  const existing = await readJsonFile(paths.configFile);
+  const language = normalizeConfiguredLanguage(existing?.language);
+  const lanHost = normalizeLanHost(existing?.lanHost);
+  const logLevel = normalizeLogLevel(existing?.logLevel ?? process.env.HERMESLINK_LOG_LEVEL);
+  return {
+    ...defaultLinkConfig,
+    ...existing ?? {},
+    language,
+    lanHost,
+    logLevel
+  };
+}
+async function saveConfig(patch, paths = resolveRuntimePaths()) {
+  const current = await loadConfig(paths);
+  const next = {
+    ...current,
+    ...patch,
+    logLevel: patch.logLevel === void 0 ? current.logLevel : normalizeLogLevel(patch.logLevel)
+  };
+  await writeJsonFile(paths.configFile, next);
+  return next;
+}
+function normalizeConfiguredLanguage(language) {
+  if (language === "zh-CN" || language === "en" || language === "auto") {
+    return language;
+  }
+  return defaultLinkConfig.language;
+}
+function normalizeLogLevel(level) {
+  if (level === "debug" || level === "info" || level === "warn" || level === "error") {
+    return level;
+  }
+  return defaultLinkConfig.logLevel;
+}
+function normalizeLanHost(value) {
+  if (value === null || value === void 0) {
+    return null;
+  }
+  if (typeof value !== "string") {
+    return null;
+  }
+  const host = value.trim().replace(/^\[/u, "").replace(/\]$/u, "");
+  if (!host) {
+    return null;
+  }
+  if (!isUsableLanIpv4(host)) {
+    return null;
+  }
+  return host;
+}
+function isUsableLanIpv4(value) {
+  const parts = value.split(".").map((part) => Number.parseInt(part, 10));
+  if (parts.length !== 4 || parts.some((part) => !Number.isInteger(part) || part < 0 || part > 255)) {
+    return false;
+  }
+  const [first, second, , fourth] = parts;
+  const privateRange = first === 10 || first === 172 && second >= 16 && second <= 31 || first === 192 && second === 168;
+  return privateRange && fourth !== 0 && fourth !== 255;
+}
+
+// src/network/topology.ts
+var VIRTUAL_INTERFACE_NAME_PATTERN = /(docker|veth|vmnet|vmenet|vbox|virtualbox|vmware|tailscale|zerotier|wireguard|utun|virbr|hyper-v|vethernet|loopback|\blo\b|^lo\d*$|^br-|^bridge\d+$|^zt|^tun|^tap|awdl|llw|anpi|gif|stf|ipsec|ppp)/iu;
+var MAX_LAN_IPS = 4;
+var MAX_PUBLIC_IPV4S = 2;
+var MAX_PUBLIC_IPV6S = 2;
+async function discoverRouteCandidates(options) {
+  const environment = detectRuntimeEnvironment();
+  const configuredLanHost = normalizeLanHost(options.configuredLanHost);
+  const lanIps = configuredLanHost ? [configuredLanHost] : environment.lanAutoDiscoveryUsable ? discoverLanIps() : [];
+  const publicIps = options.relayBootstrapToken || options.observePublicRoute ? await observePublicRoute(options).catch(() => ({ publicIpv4s: [], publicIpv6s: [] })) : { publicIpv4s: [], publicIpv6s: [] };
+  const publicIpv4s = unique(publicIps.publicIpv4s.filter(isUsablePublicIpv4)).slice(0, MAX_PUBLIC_IPV4S);
+  const publicIpv6s = unique(publicIps.publicIpv6s.filter(isUsablePublicIpv6)).slice(0, MAX_PUBLIC_IPV6S);
+  const preferredUrls = [
+    ...lanIps.map((ip) => buildDirectUrl(ip, options.port)),
+    ...publicIpv4s.map((ip) => buildDirectUrl(ip, options.port)),
+    ...publicIpv6s.map((ip) => buildDirectUrl(ip, options.port)),
+    `${options.relayBaseUrl.replace(/\/+$/u, "")}/api/v1/relay/links/${options.linkId}`
+  ];
+  return { lanIps, publicIpv4s, publicIpv6s, preferredUrls, environment };
+}
+function discoverLanIps() {
+  return discoverLanIpsFromInterfaces(os5.networkInterfaces());
+}
+function discoverLanIpsFromInterfaces(interfaces) {
+  const result = /* @__PURE__ */ new Set();
+  const candidates = [];
+  for (const [name, items] of Object.entries(interfaces)) {
+    if (shouldIgnoreInterface(name)) continue;
+    for (const item of items ?? []) {
+      if (!item.internal && item.address && item.family === "IPv4" && isUsableLanIpv42(item.address, item.netmask)) {
+        candidates.push({ name, address: item.address });
+      }
+    }
+  }
+  for (const candidate of candidates.sort(compareLanCandidate)) {
+    result.add(candidate.address);
+  }
+  return [...result].slice(0, MAX_LAN_IPS);
+}
+async function observePublicRoute(options) {
+  const fetcher = options.fetchImpl ?? fetch;
+  const response = await fetcher(
+    `${options.relayBaseUrl.replace(/\/+$/u, "")}/api/v1/relay/public-route/observe`,
+    {
+      method: "POST",
+      headers: {
+        "content-type": "application/json",
+        ...options.relayBootstrapToken ? { authorization: `Bearer ${options.relayBootstrapToken}` } : {}
+      },
+      body: JSON.stringify({
+        install_id: options.installId,
+        link_id: options.linkId,
+        public_key_pem: options.publicKeyPem
+      })
+    }
+  );
+  const payload = await response.json().catch(() => null);
+  const record = typeof payload?.record === "object" && payload.record !== null ? payload.record : null;
+  const observed = typeof payload?.observed === "object" && payload.observed !== null ? payload.observed : null;
+  const values = [
+    readIpRecord(record?.ipv4),
+    readIpRecord(record?.ipv6),
+    typeof observed?.ip === "string" ? observed.ip : null
+  ].filter((v) => Boolean(v));
+  return {
+    publicIpv4s: unique(values.filter(isUsablePublicIpv4)),
+    publicIpv6s: unique(values.filter(isUsablePublicIpv6))
+  };
+}
+function readIpRecord(value) {
+  if (typeof value !== "object" || value === null) return null;
+  const ip = value.ip;
+  return typeof ip === "string" && ip.trim() ? ip.trim() : null;
+}
+function buildDirectUrl(ip, port) {
+  return `http://${ip.includes(":") ? `[${ip}]` : ip}:${port}`;
+}
+function shouldIgnoreInterface(name) {
+  return !name.trim() || VIRTUAL_INTERFACE_NAME_PATTERN.test(name);
+}
+function compareLanCandidate(left, right) {
+  const priority = interfacePriority(left.name) - interfacePriority(right.name);
+  return priority || left.name.localeCompare(right.name) || left.address.localeCompare(right.address);
+}
+function interfacePriority(name) {
+  return /^(en|eth|wlan|wi-fi|wifi)/iu.test(name) ? 0 : 1;
+}
+function isUsableLanIpv42(address, netmask) {
+  return isPrivateIpv4(address) && !isNetworkOrBroadcastIpv4Address(address, netmask);
+}
+function isUsablePublicIpv4(address) {
+  return isValidIpv4(address) && !isSpecialIpv4(address);
+}
+function isUsablePublicIpv6(address) {
+  const normalized = address.toLowerCase();
+  return normalized.includes(":") && !normalized.startsWith("fe80:") && !normalized.startsWith("fc") && !normalized.startsWith("fd") && !normalized.startsWith("ff") && normalized !== "::" && normalized !== "::1";
+}
+function isPrivateIpv4(address) {
+  const parts = parseIpv4Segments(address);
+  if (!parts) return false;
+  const [first, second] = parts;
+  return first === 10 || first === 172 && second >= 16 && second <= 31 || first === 192 && second === 168;
+}
+function isSpecialIpv4(address) {
+  const parts = parseIpv4Segments(address);
+  if (!parts) return true;
+  const [first, second, third, fourth] = parts;
+  return first === 0 || first === 10 || first === 127 || first >= 224 || first === 100 && second >= 64 && second <= 127 || first === 169 && second === 254 || first === 172 && second >= 16 && second <= 31 || first === 192 && second === 168 || first === 192 && second === 0 && third === 2 || first === 198 && (second === 18 || second === 19) || first === 198 && second === 51 && third === 100 || first === 203 && second === 0 && third === 113 || first === 255 && second === 255 && third === 255 && fourth === 255;
+}
+function isNetworkOrBroadcastIpv4Address(address, netmask) {
+  const addressParts = parseIpv4Segments(address);
+  const netmaskParts = netmask ? parseIpv4Segments(netmask) : null;
+  if (!addressParts) return true;
+  if (!netmaskParts) {
+    const last = addressParts[3];
+    return last === 0 || last === 255;
+  }
+  const addressInt = ipv4SegmentsToInt(addressParts);
+  const netmaskInt = ipv4SegmentsToInt(netmaskParts);
+  const hostMask = ~netmaskInt >>> 0;
+  if (hostMask === 0) return false;
+  const networkInt = addressInt & netmaskInt;
+  const broadcastInt = (networkInt | hostMask) >>> 0;
+  return addressInt === networkInt || addressInt === broadcastInt;
+}
+function isValidIpv4(address) {
+  return Boolean(parseIpv4Segments(address));
+}
+function parseIpv4Segments(address) {
+  if (!/^\d{1,3}(?:\.\d{1,3}){3}$/u.test(address)) return null;
+  const parts = address.split(".").map((part) => Number.parseInt(part, 10));
+  if (parts.length !== 4 || parts.some((part) => !Number.isInteger(part) || part < 0 || part > 255)) return null;
+  return parts;
+}
+function ipv4SegmentsToInt(parts) {
+  return (parts[0] << 24 >>> 0 | parts[1] << 16 | parts[2] << 8 | parts[3]) >>> 0;
+}
+function unique(values) {
+  return [...new Set(values)];
+}
+
+// src/storage/sqlite.ts
+import Database from "better-sqlite3";
+function openSqliteDatabase(filePath, options = {}) {
+  return new Database(filePath, {
+    ...options.readonly === void 0 ? {} : { readonly: options.readonly, fileMustExist: options.readonly },
+    ...options.timeout === void 0 ? {} : { timeout: options.timeout }
+  });
+}
+
+// src/storage/link-database.ts
+import { mkdir as mkdir5 } from "fs/promises";
+import path8 from "path";
+async function initLinkDatabase(paths) {
+  await mkdir5(path8.dirname(paths.databaseFile), { recursive: true, mode: 448 });
+  const db = openDb(paths);
+  try {
+    db.exec(`
+      PRAGMA foreign_keys = ON;
+      PRAGMA busy_timeout = 5000;
+      PRAGMA journal_mode = WAL;
+
+      CREATE TABLE IF NOT EXISTS conversation_stats (
+        conversation_id   TEXT PRIMARY KEY,
+        kind              TEXT NOT NULL,
+        title             TEXT NOT NULL,
+        status            TEXT NOT NULL,
+        hermes_session_id TEXT NOT NULL,
+        profile_uid       TEXT,
+        profile_name_snapshot TEXT,
+        profile           TEXT,
+        model             TEXT,
+        provider          TEXT,
+        context_window    INTEGER,
+        input_tokens      INTEGER NOT NULL DEFAULT 0,
+        output_tokens     INTEGER NOT NULL DEFAULT 0,
+        total_tokens      INTEGER NOT NULL DEFAULT 0,
+        message_count     INTEGER NOT NULL DEFAULT 0,
+        run_count         INTEGER NOT NULL DEFAULT 0,
+        created_at        TEXT NOT NULL,
+        updated_at        TEXT NOT NULL,
+        deleted_at        TEXT,
+        stats_updated_at  TEXT NOT NULL
+      );
+      CREATE INDEX IF NOT EXISTS idx_conversation_stats_status
+        ON conversation_stats(status);
+      CREATE INDEX IF NOT EXISTS idx_conversation_stats_updated_at
+        ON conversation_stats(updated_at);
+      CREATE INDEX IF NOT EXISTS idx_conversation_stats_model
+        ON conversation_stats(model);
+      CREATE INDEX IF NOT EXISTS idx_conversation_stats_profile
+        ON conversation_stats(profile);
+      CREATE INDEX IF NOT EXISTS idx_conversation_stats_profile_uid
+        ON conversation_stats(profile_uid);
+      CREATE INDEX IF NOT EXISTS idx_conversation_stats_profile_name_snapshot
+        ON conversation_stats(profile_name_snapshot);
+
+      CREATE TABLE IF NOT EXISTS profile_registry (
+        profile_uid   TEXT PRIMARY KEY,
+        profile_name  TEXT NOT NULL UNIQUE,
+        profile_path  TEXT NOT NULL,
+        display_name  TEXT,
+        description   TEXT,
+        avatar_type   TEXT NOT NULL DEFAULT 'default',
+        avatar_url    TEXT,
+        created_at    TEXT NOT NULL,
+        updated_at    TEXT NOT NULL
+      );
+      CREATE INDEX IF NOT EXISTS idx_profile_registry_profile_name
+        ON profile_registry(profile_name);
+
+      CREATE TABLE IF NOT EXISTS run_usage_facts (
+        run_id                TEXT PRIMARY KEY,
+        conversation_id       TEXT NOT NULL,
+        profile_uid           TEXT,
+        profile_name_snapshot TEXT,
+        profile               TEXT,
+        model                 TEXT,
+        provider              TEXT,
+        input_tokens          INTEGER NOT NULL DEFAULT 0,
+        output_tokens         INTEGER NOT NULL DEFAULT 0,
+        total_tokens          INTEGER NOT NULL DEFAULT 0,
+        message_count         INTEGER NOT NULL DEFAULT 0,
+        started_at            TEXT NOT NULL,
+        completed_at          TEXT NOT NULL,
+        updated_at            TEXT NOT NULL
+      );
+      CREATE INDEX IF NOT EXISTS idx_run_usage_facts_completed_at
+        ON run_usage_facts(completed_at);
+      CREATE INDEX IF NOT EXISTS idx_run_usage_facts_conversation_id
+        ON run_usage_facts(conversation_id);
+      CREATE INDEX IF NOT EXISTS idx_run_usage_facts_model
+        ON run_usage_facts(model);
+      CREATE INDEX IF NOT EXISTS idx_run_usage_facts_profile_uid
+        ON run_usage_facts(profile_uid);
+      CREATE INDEX IF NOT EXISTS idx_run_usage_facts_profile_name_snapshot
+        ON run_usage_facts(profile_name_snapshot);
+    `);
+  } finally {
+    db.close();
+  }
+}
+function openDb(paths) {
+  const db = openSqliteDatabase(paths.databaseFile, { timeout: 5e3 });
+  db.exec("PRAGMA foreign_keys = ON; PRAGMA busy_timeout = 5000; PRAGMA journal_mode = WAL;");
+  return db;
+}
+
+// src/http/app.ts
+async function startLinkService(options) {
+  const { config, identity, paths, relayToken } = options;
+  const logger = createLogger({ paths, fileName: "link.log", level: config.logLevel });
+  await initLinkDatabase(paths);
+  const db = openSqliteDatabase(paths.databaseFile, { timeout: 5e3 });
+  const app = new Koa();
+  app.use(cors({ origin: "*" }));
+  app.use(bodyParser({ jsonLimit: "10mb" }));
+  app.use(async (ctx, next) => {
+    try {
+      await next();
+    } catch (err) {
+      const error = err;
+      ctx.status = error.status ?? error.statusCode ?? 500;
+      ctx.body = { error: error.message ?? "Internal server error" };
+      logger.error({ path: ctx.path, status: ctx.status, err: error.message }, "Request error");
+    }
+  });
+  const rootRouter = new Router3();
+  rootRouter.get("/pair", (ctx) => {
+    const connectToken = typeof ctx.query.connect_token === "string" ? ctx.query.connect_token : "";
+    ctx.type = "text/html";
+    ctx.body = buildPairingPage({ port: config.port, connectToken });
+  });
+  app.use(rootRouter.routes());
+  app.use(rootRouter.allowedMethods());
+  const systemRouter = createSystemRouter({ config, identity, paths });
+  app.use(systemRouter.routes());
+  app.use(systemRouter.allowedMethods());
+  const statsRouter = createStatisticsRouter({ db, paths });
+  app.use(statsRouter.routes());
+  app.use(statsRouter.allowedMethods());
+  const server = await new Promise((resolve, reject) => {
+    const s = app.listen(config.port, "127.0.0.1", () => resolve(s));
+    s.once("error", reject);
+  });
+  const relayClient = new RelayClient({
+    relayBaseUrl: config.relayBaseUrl,
+    identity,
+    token: relayToken,
+    paths
+  });
+  relayClient.start();
+  reportNetwork({ config, identity, paths }).catch(() => void 0);
+  const stop = async () => {
+    relayClient.stop();
+    await new Promise((resolve) => server.close(() => resolve()));
+    db.close();
+    logger.info("Link service stopped");
+  };
+  return { app, server, relayClient, stop };
+}
+async function reportNetwork(options) {
+  const candidates = await discoverRouteCandidates({
+    configuredLanHost: options.config.lanHost,
+    relayBaseUrl: options.config.relayBaseUrl,
+    linkId: options.identity.link_id ?? "",
+    port: options.config.port,
+    installId: options.identity.install_id,
+    publicKeyPem: options.identity.public_key_pem
+  });
+  await updateNetworkReportState(
+    {
+      lastReportedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      preferredUrls: candidates.preferredUrls,
+      lanIps: candidates.lanIps,
+      publicIpv4s: candidates.publicIpv4s,
+      publicIpv6s: candidates.publicIpv6s
+    },
+    options.paths
+  );
+}
+function buildPairingPage(options) {
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  <title>Hermes Link \u2014 Pairing</title>
+  <style>
+    * { box-sizing: border-box; margin: 0; padding: 0; }
+    body { font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif; background: #0f0f0f; color: #e5e5e5; display: flex; align-items: center; justify-content: center; min-height: 100vh; }
+    .card { background: #1a1a1a; border: 1px solid #2a2a2a; border-radius: 12px; padding: 2rem; max-width: 420px; width: 100%; text-align: center; }
+    h1 { font-size: 1.25rem; font-weight: 600; margin-bottom: 0.5rem; }
+    p { color: #a0a0a0; font-size: 0.9rem; margin-bottom: 1.5rem; line-height: 1.5; }
+    .token { font-family: monospace; background: #0f0f0f; border: 1px solid #333; border-radius: 6px; padding: 0.75rem 1rem; font-size: 0.85rem; word-break: break-all; color: #7dd3fc; margin-bottom: 1.5rem; }
+    button { background: #3b82f6; color: #fff; border: none; border-radius: 8px; padding: 0.75rem 1.5rem; font-size: 0.95rem; cursor: pointer; width: 100%; }
+    button:hover { background: #2563eb; }
+    .status { margin-top: 1rem; font-size: 0.85rem; color: #6ee7b7; display: none; }
+  </style>
+</head>
+<body>
+  <div class="card">
+    <h1>Hermes Link Pairing</h1>
+    <p>Use this page to pair your device with the local Hermes Link service running on port ${options.port}.</p>
+    <div class="token" id="token">${options.connectToken}</div>
+    <button onclick="pair()">Pair This Device</button>
+    <div class="status" id="status">Paired successfully!</div>
+  </div>
+  <script>
+    async function pair() {
+      const token = document.getElementById('token').textContent;
+      try {
+        const res = await fetch('http://127.0.0.1:${options.port}/api/v1/system/status', {
+          headers: { 'x-hermeslink-connect-token': token }
+        });
+        if (res.ok) {
+          document.getElementById('status').style.display = 'block';
+        }
+      } catch (e) {
+        alert('Pairing failed: ' + e.message);
+      }
+    }
+  </script>
+</body>
+</html>`;
+}
+
+export {
+  LINK_COMMAND,
+  LINK_VERSION,
+  DAEMON_LOG_FILE,
+  resolveRuntimePaths,
+  loadConfig,
+  saveConfig,
+  normalizeLanHost,
+  loadIdentity,
+  ensureIdentity,
+  saveAssignedLinkId,
+  enableAutostart,
+  disableAutostart,
+  getAutostartStatus,
+  currentCliScriptPath,
+  detectRuntimeEnvironment,
+  createRotatingTextLogWriter,
+  readRecentLogEntries,
+  readRecentGatewayLogEntries,
+  bootstrapWithRelay,
+  generateAppConnectToken,
+  startLinkService
+};